Office (OLE) malware analysis — malicious · 7c21e86e322b46d2

MALICIOUS

Office (OLE)

172.6 KB Created: 2001-12-14 14:26:00 Authoring application: Microsoft Word 9.0

MD5: 6b3289006cf60cab9fd4a47293446d00 SHA-1: 097dec23bbf0e8aa88a78b0e0f8ac16bf8be55f6 SHA-256: 7c21e86e322b46d29d9ae542ad98f431506c96aa7bffdc74b7c8a5db256f1ab0

100 Risk Score

Malware Insights

MITRE ATT&CK

T1203 Exploitation for Client Execution

The sample is a Microsoft Word document that contains a malformed table structure, triggering the CVE-2006-6456 vulnerability. This vulnerability allows for arbitrary code execution when the document is opened. The large slack space in the OLE structure is also anomalous and may be used to hide malicious content.

Heuristics 2

CVE-2006-6456 — Microsoft Word malformed table SPRM critical CVE exact CVE_2006_6456

WordDocument contains a malformed table border-color SPRM in the CVE-2006-6456 shape: a valid table-SPRM cluster is followed by an invalid high-byte 0xFF SPRM where Word expects a normal sprmTBrc*Cv record. Vulnerable Word 2000/2002/2003 parsers corrupt memory while handling this malformed data structure.
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY

OLE file is 176,751 bytes but its declared streams total only 94,801 bytes — 81,950 bytes (46%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).

Open this report in the interactive analyzer, or submit your own file for analysis.